92 matches found
Updated minetest packages fix security vulnerabilities
Mod security sandbox escape. CVE-2026-40959 HTTP API and insecure environment access control bypass. CVE-2026-40960...
PT-2026-46884
Summary A non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API POST /api/action/sync. The regular integration endpoint POST /api/integration correctly blocks this, but the Sync API bypasses th...
Linux Distros Unpatched Vulnerability : CVE-2026-41888
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2//manifests/ endpoint bypasses the...
CVE-2026-8135
Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. A rogue administrator with privileges to add blocks to an area can bypass the intended protection mechanism fromCIF === true, which normally...
CVE-2026-8135
Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution via insecure deserialization in the ExpressEntryList block controller. A rogue admin with block-adding privileges can bypass protection by abusing REST API requests; json_decode() converts the string "true" to PHP Boolean true, a...
CVE-2026-45672 Open WebUI: Jupyter code execution works despite `ENABLE_CODE_EXECUTION=false` — feature gate bypassed
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.12, the /api/v1/utils/code/execute endpoint executes arbitrary Python code via Jupyter for any verified user, even when the admin has set ENABLE_CODE_EXECUTION=false. The feature gate is...
Velociraptor security vulnerability
Velociraptor is an open-source tool developed by Velocidex, designed for querying and collecting host-based status information using the Velociraptor Query Language VQL. Versions of Velociraptor prior to 0.76.4 contained security vulnerabilities. These vulnerabilities were due to a...
CVE-2026-34587 Kirby has Server-Side Template Injection (SSTI) via double template resolution in option rendering
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint site/blueprints/users/.... ...
MiracleLinux 8 : resource-agents-4.9.0-54.el8_10.27 (AXSA:2026-456:03)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-456:03 advisory. urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion CVE-2025-66418 urllib3: urllib3 Streaming API improperly handles highly...
CVE-2026-0664 Royal Elementor Addons <= 1.7.1049 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API Meta Bypass
The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttontext' parameter in all versions up to, and including, 1.7.1049 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-33527 Parse Server: Session update endpoint allows overwriting server-generated session fields
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST...
CVE-2026-30849 MantisBT SOAP API has an authentication bypass vulnerability on MySQL
Mantis Bug Tracker MantisBT is an open source issue tracker. Versions prior to 2.28.1 running on MySQL family databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of an improper type checking on the password parameter. Other database backends are not...
Decompression bomb bypass via negative max_length in streaming API (incomplete fix for CVE-2025-66471)
Description The fix for CVE-2025-66471 in urllib3 2.6.0 added max_length support to all decoders to prevent decompression bombs when using the streaming API. However, three independent code paths in response.py bypass this protection in urllib3 2.6.3 (latest). Bypass 1 — Negative max_length from buff...
EUVD-2026-10888
Parse Server: Classes GraphQLConfig and Audience master key bypass via generic class routes...
CVE-2026-28359
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. This issue has been patched in version 0.301.3...
CVE-2026-28286
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting directly with the API, th...
EUVD-2026-9206
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting directly with the API, th...
Mattermost fails to enforce invite permissions when updating team settings
Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561...
CVE-2025-14573 Team Admin Bypass of Invite Permissions via allow_open_invite Field
Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561...
MiracleLinux 8 : python3.12-urllib3-1.26.19-2.el8_10 (AXSA:2026-092:01)
The remote MiracleLinux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2026-092:01 advisory. urllib3: urllib3: Unbounded decompression chain leads to resource exhaustion CVE-2025-66418 urllib3: urllib3 Streaming API improperly handles highly...